On joining the company I found that we had 3 unreliable Check Point UTM1-270 series firewalls: one in our headquarters, one in Amsterdam, and the last in our Croydon, UK office.

On a weekly if not daily basis the firewalls would crash, or connectivity to the Internet, Outlook, or other resources would become extremely slow. In reviewing the configuration it became apparent that the HQ could not operate on this series due to the level of traffic being generated for email, web, remote access VPN, site-to-site VPN, and backups. At the same time the firewalls had all blades enabled, and in monitoring the resource usage on the firewalls I could see this.

After becoming familiar with the environment of all three sites and with the functionality and features of the Check Point firewalls (I had not touched these in 10 years), I began to devise my plan. What blades were necessary on each firewall? For example, there was no need for spam filtering on the UK and Amsterdam end when all emails arrived via the US Check Point. With the time differences between all sites, when was a good time to push backups? What traffic was not business related and was not being filtered due to missing policies for application and URL filtering?

After finding the answers to the questions above and some others not listed here (internal core switching issues), I mapped out what devices from Check Point should be implemented at each site. The US, being the center with the most users, was going to receive a Check Point 4400; Amsterdam, being the second largest and running a dedicated instance of our ERP, would receive a 4200; and finally the same for our Croydon office.

The US was the first office to be done, on Saturday afternoon. The change took no more than an hour since I had previously spent a week dedicated to configuring, testing, and reviewing my setup. The wonderful thing is that as soon as the 4400 came online, the connection to our Amsterdam office came right up. At that time the Amsterdam office still had the UTM1, and we had no tunnel to Croydon because the previous IT service provider said there were compatibility issues.

Over the next month I took my time in configuring the replacement security gateways for each office. At the same time I created a plan to work on stabilizing the core of the network through switch upgrades, cabling, etc. I knew that without this being sound, the chances of the project being successful overseas were slim to none.

During a week in May I travelled overseas. With the preparation I did in advance, each cut-over to the new 4200 series firewall was literally plug-and-play: IPsec tunnels up, remote access working, and new security blades working and catching threats.

Monitoring these devices today, there are no more issues with lack of CPU and memory resources. The tunnels just work and users are reporting fewer issues by the day.